Jake Moshenko
26cea9a07c
Merge remote-tracking branch 'upstream/master' into python-registry-v2
2015-09-17 16:16:27 -04:00
Silas Sewell
386c017d99
Add quay releases
2015-09-16 17:18:46 -04:00
Jake Moshenko
210ed7cf02
Merge remote-tracking branch 'upstream/master' into python-registry-v2
2015-09-04 16:32:01 -04:00
Quentin Machu
8a4c5a5491
Add newline char in syslog-ng config
2015-09-02 10:07:34 -04:00
josephschorr
62ea4a6cf4
Merge pull request #191 from coreos-inc/carmen
...
Add automatic storage replication
2015-09-01 15:04:36 -04:00
Joseph Schorr
724b1607d7
Add automatic storage replication
...
Adds a worker to automatically replicate data between storages and update the database accordingly
2015-09-01 14:53:32 -04:00
Jake Moshenko
3a0d28653b
Stop logging user and messages files in syslog
...
They contained duplicates of all of our app logs.
2015-09-01 11:44:15 -04:00
Joseph Schorr
31fdb94436
Enable rate limiting of V2 requests
2015-08-25 14:18:34 -04:00
Joseph Schorr
0c7839203e
Send the original host along to the registry code
2015-08-24 16:09:17 -04:00
Matt Jibson
5ce4702814
Merge pull request #329 from mjibson/fix-weak-dh
...
Fix weak DH configuration
2015-08-12 15:33:42 -04:00
Joseph Schorr
5bdd7ba990
Add support for custom favicon in ER
...
Fixes #340
2015-08-10 13:39:39 -04:00
Matt Jibson
c88edf8989
Fix weak DH configuration
...
The SSLLabs https://www.ssllabs.com/ssltest/ test reported a B rating for
our SSL configuration, mostly due to the weak DH confiugration we have,
which is vulnerable to the logjam attack. This is their recommended
configuration for nginx.
From: https://weakdh.org/sysadmin.html
This has been verified to work with docker 0.10.0.
2015-08-07 12:03:05 -04:00
Joseph Schorr
70de107268
Make GC of repositories fully async for whitelisted namespaces
...
This change adds a worker to conduct GC on repositories with garbage every 10s.
Fixes #144
2015-07-28 15:30:04 -04:00
Jake Moshenko
bc29561f8f
Fix and templatize the logic for external JWT AuthN and registry v2 Auth.
...
Make it explicit that the registry-v2 stuff is not ready for prime time.
2015-07-17 11:56:15 -04:00
Jimmy Zelinskie
68894a6cad
nginx: comment out last part of OCSP stapling
2015-07-14 18:07:53 -04:00
Jimmy Zelinskie
973aa601ef
nginx: "temporarily" disable OCSP stapling
2015-07-14 17:33:57 -04:00
Jake Moshenko
91b2c21789
Reference our certificate file as trusted to enable OCSP stapling.
2015-07-01 15:35:40 -04:00
Joseph Schorr
784a45372d
Make the doupdatelimits script optional
...
Without the `privileged` flag or the proper kernel capability, this command can fail the start of the container. With this change, we still print the error message, but don't fail container start. The downside of this command not running is a lower maximum connection count (128), which should be okay for most of our enterprise customers.
2015-07-01 15:13:36 +03:00
Jake Moshenko
ee154c37a8
Merge pull request #121 from coreos-inc/robots
...
Add support for custom robots.txt in conf/stack
2015-06-17 15:48:30 -04:00
Jimmy Zelinskie
3166c9a38f
nginx: recompile with SSL module, move directives
2015-06-16 12:30:25 -04:00
Joseph Schorr
191f84fd0b
Add support for custom robots.txt in conf/stack
...
Fixes #115
2015-06-11 12:33:21 -04:00
Jimmy Zelinskie
f7c81e2a34
binarydeps: tengine 2.1.0 -> nginx 1.8.0
...
nginx stable now has unbuffered uploading support, thus we are no longer
required to use tengine.
2015-06-08 15:35:56 -04:00
Jimmy Zelinskie
581d2fa4fc
nginx: move ssl config out of server-base
2015-05-22 16:25:28 -04:00
Jimmy Zelinskie
4323eb58da
nginx: SSL config into server-base.conf
2015-05-22 13:54:43 -04:00
Jimmy Zelinskie
f9f933feff
nginx: update cipher suite, HSTS, X-Frame-Options
2015-05-22 13:35:49 -04:00
Jimmy Zelinskie
60763d69b1
nginx: support OCSP Stapling
2015-05-20 16:32:12 -04:00
Jimmy Zelinskie
4689c00fad
nginx: drop SSLv3, support TLS 1.1 & 1.2
2015-05-20 16:31:32 -04:00
Jimmy Zelinskie
c44846103e
nginx: enable Strict Transport Security
2015-05-20 16:31:00 -04:00
Joseph Schorr
3f1e8f3c27
Add a RepositoryActionCount table so we can use it (instead of LogEntry) when scoring repo search results
2015-04-13 13:31:07 -04:00
Jake Moshenko
24cf27bd12
Route all of the logging through syslog-ng. Add the ability to specify extra syslog-ng config. Simplify the Dockerfile.
2015-03-26 09:22:47 -04:00
Jimmy Zelinskie
b4b06ec8c8
nginx: add comment explaining repo rate limiting
2015-02-25 12:32:48 -05:00
Jimmy Zelinskie
2a826f52d4
nginx: rename api rate limit bucket to verbs
2015-02-25 12:32:30 -05:00
Jimmy Zelinskie
ebff374408
nginx: tweak rate limiting; remove webapp limiting
2015-02-25 12:22:41 -05:00
Jimmy Zelinskie
ef61145b2c
Merge branch 'master' of github.com:coreos-inc/quay
2015-02-23 20:54:15 -05:00
Jimmy Zelinskie
7554c47a30
nginx: burst=5 for API calls
...
This means that requests are delayed until the client reaches the burst
rate and then they will receive the 429.
2015-02-23 20:53:21 -05:00
Jake Moshenko
a0833b7978
Fix the worker timeout for synchronous verbs workers.
2015-02-23 16:02:22 -05:00
Jake Moshenko
291c1c810b
Merge remote-tracking branch 'origin/hotfix'
...
Conflicts:
conf/proxy-server-base.conf
2015-02-19 17:37:44 -05:00
Jimmy Zelinskie
4a2b25200a
nginx: make rate limiting awesome
2015-02-19 16:24:05 -05:00
Jimmy Zelinskie
01811ee793
nginx: add missing semicolon
2015-02-19 13:31:49 -05:00
Jimmy Zelinskie
11c5632121
nginx: remove blacklisted IP
2015-02-19 12:46:03 -05:00
Jimmy Zelinskie
b7159293c1
nginx: create unauth/auth ratelimiting
...
This also removes nodelay on rate limiting and temporarily blacklists an
IP address.
2015-02-19 12:32:06 -05:00
Jake Moshenko
04b06547b8
Remove all of the timeouts since they were not doing the right thing anyway.
2015-02-18 17:04:25 -05:00
Joseph Schorr
f107b50a46
Merge branch 'master' into ackbar
2015-02-12 12:04:45 -05:00
Joseph Schorr
42db221576
Disable proxy server buffer changes
2015-02-11 16:25:09 -05:00
Jake Moshenko
0f3d87466e
Unify the logging infrastructure and turn the prod logging level to INFO in preparation for picking up a new cloud logger.
2015-02-11 14:15:18 -05:00
Jimmy Zelinskie
3abb5bf0a3
nginx: set proxy_buffer_size to 6MB
...
Because tags are included in our sessions, pushes containing many tags
will make our headers larger than the buffer nginx uses to send to the
client and then nginx is unable to validate the headers.
2015-02-10 15:48:27 -05:00
Joseph Schorr
9dfe523615
Merge master changes
2015-02-05 13:11:16 -05:00
Jake Moshenko
11562a74de
Remove the old builder infrastructure.
2015-01-29 11:03:23 -05:00
Jimmy Zelinskie
24365fb960
nginx: rate-limiting for /c1/
2015-01-26 15:42:56 -05:00
Jimmy Zelinskie
f99025f123
nginx: adjust proxy protocol rate limiting values
2015-01-26 15:03:27 -05:00